SANS Penetration Testing

If Windows Management Instrumentation (WMI) is the Matrix then its console (WMIC) is Neo.

WMI is the Microsoft variant of Web-Based Enterprise Management (WBEM) and the Common Information Model (CIM). Essentially, it forms the connective tissue that defines application-specific characteristics to enable cohesive interactivity between systems from differing sources. For the information security practitioner, WMI provides a mechanism to query an underlying system, with a massive amount of capability and information built in. In this post we explore the robust set of features available within WMIC.

The wmic process list full command displays all the information available for a process. Output data here is substantial and frequently overwhelming. Here is what the output (for one process) looks like:

[Screenshot] Using wmic to get a full listing of the running processes: wmic process list full

From the information listed, the key fields that may require additional investigation include:

1. CommandLine - If run with any options, for example nc -l -p 4444, it would appear here.

2. ExecutablePath - This is where the binary executes from

3. ParentProcessId - At times there may be a child/parent relationship which may be exploited

4. ProcessId - The PID of the process

wmic process list full provides an excessive amount of data, so some data handling is advised. Consider piping the output through more or redirecting stdout to a text file.
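A small parser for saved wmic process list full output, as an added example that is not part of the original post: it keeps the four fields listed above, decodes the UTF-16 text wmic writes when its output is redirected to a file, and follows ParentProcessId links so a suspicious child can be traced back to its parents. The sample records are constructed, not captured from a real host.

```python
"""Triage saved 'wmic process list full' output (added example, not from the post; sample is constructed)."""
KEY_FIELDS = ("ProcessId", "ParentProcessId", "ExecutablePath", "CommandLine")

# Constructed sample in the key=value, blank-line-separated shape wmic emits;
# real records carry dozens of properties, only the four of interest appear.
# Output redirected to a file by wmic is UTF-16LE with a BOM, mimicked here.
SAMPLE = b"\xff\xfe" + """
CommandLine=C:\\Windows\\Explorer.EXE
ExecutablePath=C:\\Windows\\Explorer.EXE
ParentProcessId=800
ProcessId=1234

CommandLine="C:\\Windows\\system32\\cmd.exe"
ExecutablePath=C:\\Windows\\system32\\cmd.exe
ParentProcessId=1234
ProcessId=2345

CommandLine=nc -l -p 4444
ExecutablePath=C:\\Users\\Public\\nc.exe
ParentProcessId=2345
ProcessId=3456
""".encode("utf-16-le")

def parse_list_full(raw: bytes) -> list[dict]:
    """One dict per process; a blank line closes a record."""
    text = raw[2:].decode("utf-16-le") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")
    processes, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                processes.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        if key in KEY_FIELDS:
            current[key] = value
    if current:
        processes.append(current)
    return processes

def ancestry(processes: list[dict], pid: str) -> list[str]:
    """Follow ParentProcessId upward; ExecutablePath per hop, child first."""
    by_pid = {p["ProcessId"]: p for p in processes}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].get("ExecutablePath", "?"))
        pid = by_pid[pid].get("ParentProcessId", "")
    return chain
```

Feed it the bytes of a file produced by redirecting wmic process list full, then call ancestry on any PID whose CommandLine looks out of place.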

Bonus - Services, Autoruns, and Remote Command Execution, oh my!

Wmic is a critical component in any information security professional's bag of tricks, and we would be remiss not to discuss some of its extended features. For instance, a particularly useful technique for detecting network intrusions is to target common persistence mechanisms utilized by threat actors. Wmic can be used to quickly identify applications that run on system reboot.

Finally, when moving laterally, wmic provides a tried and true method for leveraging network credentials to perform remote command execution and establish sessions on an endless stream of hosts. In this fashion, wmic functions much like psexec, but it has the added benefit of existing by default on all Windows operating systems from Windows Me and NT onwards.

Conclusion

WMIC is a great tool for moving within and manipulating the environment with native capability. Not only is it incredibly powerful, but it will likely draw less attention than many other more distinct and well-known pentesting tools. Only the shallowest depths of its functionality are explored here, but the potential is nearly endless. Try, explore, and learn!

Print Your Own:

Get all of the CMD.exe tips from the SANS Pen Test Poster: "White Board of Awesome Command Line Kung-Fu!"